Identity, Privacy and Trust

Oct 6 2010   7:23AM GMT

Jailed for defending his privacy?

tobystevens


Online child protection is all over the news this week, with the resignation of Jim Gamble of CEOP (and part of his team) being rued by mainstream media, and welcomed by ISPs. However, a lower profile headline is equally interesting: a teenager jailed for 16 weeks for refusal to disclose his encryption password to police investigating indecent images on his PC.

This is a rare example of the RIPA paradox in action. Under the Regulation of Investigatory Powers Act (2000), police can demand that an individual hand over encryption keys as part of an investigation. Refusal to do so can result in a jail sentence which, in theory, could become indefinite if they stand by that refusal. The Act was much criticised for this when it was originally passed, since privacy campaigners pointed out the stalemate that might arise when an individual feels that they have the right to privacy over their personal data and refuses to disclose a key for that reason alone. On the other hand, it is quite possible that the individual in this particular case is not acting from a position of principle, and does in fact have something more serious hidden on his PC, in which case a 16-week sentence might be considered ‘getting off lightly’ from his point of view.

In general, this particular aspect of RIPA hasn’t worked out as badly as campaigners originally feared, since very few law-abiding individuals would choose jail over the principle of their privacy (although by implication that means an individual who does opt for jail probably has something they wish to keep hidden from the authorities). But it is an ongoing worry, a case of legislating that old lie “nothing to hide, nothing to fear,” and when that approach is linked with child protection then great care is essential – after all, if refusal to disclose is taken as an admission of guilt, then individuals who find themselves wrongfully accused are obliged to disclose all their personal information, regardless of sensitivity, simply to clear their names.

3  Comments on this Post

  • Robin Wilton
    You're right: this highlights the clash between the pernicious "nothing to hide, nothing to fear" canard and the principle of innocence until guilt is proven. The best approach might be to offer the accused the option of disclosing their key (and data) to a disinterested third party - such as a judge - to decide whether the request for decryption is justified. If the judge rules that it is, and the accused still refuses, a penalty could be imposed. That seems to me to be more proportionate and accountable than allowing the police to treat it as a 'strict liability' offence.
  • guy herbert
    Robin is wrong, I think. His solution would require the third party to prejudge the entire issue in the case of voluntary disclosure, and doesn't solve the problem that the process is initiated by police for their own reasons. The simplest and most comprehensive approach is to bring all RIPA requests themselves under court warrant, rather than have them a self-authorised and effectively arbitrary weapon of investigators. In order to demand a decryption key - or indeed communications data, or another intrusive surveillance measure - the investigators should have to satisfy a court that there were grounds for reasonable suspicion that it would yield evidence of the crime under investigation. Someone failing to disclose would then be disobeying the order of an independent court, not the interested instructions of police, and it would be much harder to suspect that the powers were being used capriciously or oppressively.
  • Toby Stevens
    Regardless of approach, I think the point here is that the police shouldn't be the ones making RIPA decisions. Sooner or later someone who has genuinely lost or forgotten their crypto key is going to end up jailed for poor key management...
